Hello,

I have to deal with certificates issued by the Swiss post office on USB tokens. They deliver two certificates on the same token. In their intended usage fields, one has "non repudiation" and the other "digital signature".

Now, I can't understand what the practical difference between the two is: I've always seen both in the same certificate, never two certs for the same identity each with one of the roles. In fact, I can't imagine a scenario where non-repudiation and digital signature aren't, for all practical matters, the same thing.

Could anyone explain to me what the difference is, please? And if you had a suggestion about in what situation one should be picked over the other, that would help as well.

+1 A:

Interesting question, and your thoughts match my own.

I've found a reference at IBM here about key usage, but I still can't really get my head around the distinction.

The best that I can phrase my understanding having read the article is that a non-repudiation usage means "I really meant to sign this, and I really understand the implications of signing this."

Sorry this isn't a complete answer, but I hope it helps.

Neil Moss
Thanks for the link. It points in the same direction as what I suspected: Non-repudiation is a limited subset of digital signature.
Stephane
A: 

I talked to the guy who implemented it and, apparently, they intended the "non-repudiation" cert for /really/ signing documents and the "digital signature" one to be used for authentication.

Stephane
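The distinction the two answers describe (the "non-repudiation" bit marks a key meant for deliberate document signatures, the "digital signature" bit a key meant for authentication) lives in the X.509 KeyUsage extension, a DER BIT STRING whose bit positions are fixed by RFC 5280 (where nonRepudiation has since been renamed contentCommitment). The following is an added example, not code from this thread or from the Swiss post office: it decodes that BIT STRING by hand and then selects, from the two token certificates, the one whose usage bits fit a given purpose, refusing to fall back to the other one. The certificate labels, the `TOKEN_CERTS` structure and the DER bytes are constructed for illustration.

```python
"""Decode an X.509 KeyUsage extension value and pick the right token certificate.

Added example (not code from the thread). It assumes each certificate on the
token is represented by a small dict holding a label and the DER-encoded
KeyUsage extension value (the BIT STRING from RFC 5280 section 4.2.1.3); the
certificate labels and DER bytes below are constructed for illustration.
"""

# Bit positions of KeyUsage as defined in RFC 5280 (bit 0 is the most
# significant bit of the first content byte of the BIT STRING).
KEY_USAGE_BITS = (
    "digitalSignature",   # 0: authentication, signed challenges, TLS client auth
    "nonRepudiation",     # 1: renamed contentCommitment in RFC 5280
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)

# Which KeyUsage bit each purpose needs, following the split described in
# the second answer: real document signatures need nonRepudiation, plain
# authentication needs digitalSignature.
REQUIRED_BIT = {
    "document_signing": "nonRepudiation",
    "authentication": "digitalSignature",
}


def parse_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage names asserted in a DER BIT STRING.

    Only the short definite length form is accepted, which is all a
    KeyUsage value ever needs (at most two content bytes).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported length form or truncated value")
    unused_bits = der[2]
    body = der[3:]
    if unused_bits > 7 or (unused_bits and not body):
        raise ValueError("invalid unused-bits count")
    # DER requires trailing zero bits to be dropped, so the padding bits of
    # the last byte must all be zero; reject sloppy encodings outright.
    if body and body[-1] & ((1 << unused_bits) - 1):
        raise ValueError("non-zero padding bits")
    usable = len(body) * 8 - unused_bits
    names = set()
    for i in range(min(usable, len(KEY_USAGE_BITS))):
        if (body[i // 8] >> (7 - i % 8)) & 1:
            names.add(KEY_USAGE_BITS[i])
    return names


def choose_certificate(certs, purpose: str):
    """Return the label of the first certificate whose KeyUsage fits the purpose.

    Returns None when no certificate on the token carries the required bit,
    so callers cannot silently sign a document with the authentication key
    or authenticate with the signing key.
    """
    needed = REQUIRED_BIT[purpose]
    for cert in certs:
        if needed in parse_key_usage(cert["key_usage_der"]):
            return cert["label"]
    return None


# Constructed stand-in for the two certificates on the token: one with only
# digitalSignature (bits 1000 0000, 7 unused) and one with only
# nonRepudiation (bits 0100 0000, 6 unused).
TOKEN_CERTS = [
    {"label": "auth-cert", "key_usage_der": bytes.fromhex("03020780")},
    {"label": "signing-cert", "key_usage_der": bytes.fromhex("03020640")},
]


if __name__ == "__main__":
    for cert in TOKEN_CERTS:
        print(cert["label"], sorted(parse_key_usage(cert["key_usage_der"])))
    print("document_signing ->", choose_certificate(TOKEN_CERTS, "document_signing"))
    print("authentication   ->", choose_certificate(TOKEN_CERTS, "authentication"))
```

In a real deployment the BIT STRING would come out of the certificate's extension list (any X.509 library exposes it); the point of the selection step is that the two certificates are not interchangeable, and an application that wants a binding signature should fail rather than quietly use the key the issuer marked for authentication.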